Check Point designing a security
- 2. You have been told that you have
an infected machine in your network…
You have seconds to make a difference. Now what?
©2013 Check Point Software Technologies Ltd.
2
- 3. Threats are always changing
Attackers are using any method available to infiltrate networks.
Attacks are moving up the network stack, which means more information is needed to deal with them.
Scaling tools and architecture is not simple as you move up the threat landscape.
If you have something worth stealing, someone will try.
- 4. Need architecture that adapts
• Can’t limit yourself to one function anymore
• Need versatility: the ability to find the right tool quickly
• Ability to layer capabilities on existing architectures
- 5. What does that all really mean?
You need features that can adapt to changing environments.
The ability to react to attacks needs to be in real time.
Need to think outside of the box sometimes.
The more data the better.
Sometimes you have to make the hard decisions.
- 6. What does it take?
1. Know your environment
2. You need context
3. Build visibility into your network
4. Don’t forget Layer 7 and 8
- 8. Sounds simple but isn’t
Understand the whole network topology.
Application architecture is vital to defense.
Network design is vital to get the visibility you need.
What do users normally do?
Can you answer the basic questions about core data flows and business drivers?
Who are your partners?
- 10. What does this all mean?
Context
• Having an IP address alone does not help
• What does the log really mean to my environment?
• It’s hard to see who is actually attacking you
• Layering context is great, but what do you do with the data?
- 11. How do you build context
Automated
• Geo Location
• Identity Awareness
• Application Intelligence
• DLP
• URL Filtering/Logging
• Hit count
• Smart Monitor/Smart Log
• Header Identification
• Machine Identification
Manual
• Past Experiences
• Application Flows
• Business Goals and Direction
• Relationships
• Third party information
• Network Architecture
• Compliance Requirements
• Change Control
• Lessons Learned
- 12. Some examples
What we used to see in a log:
Source: 1.1.1.1 Destination: 2.2.2.2 Service: TCP/80
Action: Allow
What we see now:
Source: 1.1.1.1 Destination: 2.2.2.2 Service: TCP/80
User: Bob Barker Machine: PriceIsRight OS: WinXP
Browser: Chrome Server: Apache
URL: www.hackme.org/malware.exe URL Category: Hacking Site
IPS: Binary Download Country: US
Anti-Bot: reallybadstuff.v52
Packet Capture: onaplatter.exe
Action: Block
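The two logs above, as an added example that is not part of the deck: a small parser turns the free-text "Key: value" log into a dictionary, and a triage helper answers the Who / What / Where questions the deck asks later and counts how much context the event carries. The field list and the triage rule (an IPS, Anti-Bot, URL Category or Packet Capture field makes the event actionable) are assumptions chosen for this example, not Check Point settings.

```python
import re

# Field names as they appear in the slide's enriched log, longest first so that
# "URL Category" is matched before "URL" (the field list itself is an assumption).
FIELDS = ["Packet Capture", "URL Category", "Destination", "Anti-Bot", "Browser",
          "Country", "Service", "Machine", "Action", "Server", "Source", "User",
          "IPS", "URL", "OS"]
_SPLIT = re.compile(r"\b(" + "|".join(map(re.escape, FIELDS)) + r"):?\s+")

# Context fields that, on their own, turn "TCP/80 allowed" into something actionable
# (triage rule chosen for this example, not a Check Point setting).
THREAT_FIELDS = ("IPS", "Anti-Bot", "URL Category", "Packet Capture")

# Constructed copies of the two logs shown on the slide.
OLD_LOG = "Source: 1.1.1.1 Destination: 2.2.2.2 Service: TCP/80 Action: Allow"
NEW_LOG = """Source: 1.1.1.1 Destination 2.2.2.2 Service: TCP/80
User: Bob Barker Machine: PriceIsRight OS: WinXP
Browser: Chrome Server: Apache
URL: www.hackme.org/malware.exe URL Category: Hacking Site
IPS: Binary Download Country: US
Anti-Bot: reallybadstuff.v52
Packet Capture: onaplatter.exe
Action: Block"""


def parse_log(text):
    """Turn the free-text 'Key: value Key: value ...' log into a dict.

    Values may contain spaces ("Bob Barker", "Hacking Site"), so the text is split
    on known field names rather than on whitespace; a missing colon after a field
    name (as in "Destination 2.2.2.2") is tolerated.
    """
    parts = _SPLIT.split(" ".join(text.split()))  # ['', 'Source', '1.1.1.1 ', ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def summarize(event):
    """Answer Who / What / Where for one event and count the context it carries."""
    indicators = [k for k in THREAT_FIELDS if k in event]
    who = event.get("User", "unknown user") + " on " + event.get("Machine", event["Source"])
    return {
        "who": who,
        "what": ", ".join(f"{k}={event[k]}" for k in indicators) or "no threat indicators",
        "where": f"{event['Destination']} ({event.get('Country', 'country unknown')}) via {event['Service']}",
        "decision": "block" if indicators else "insufficient context",
        # Everything beyond Source/Destination/Service/Action is added context.
        "context_fields": len(event) - 4,
    }


if __name__ == "__main__":
    for log in (OLD_LOG, NEW_LOG):
        print(summarize(parse_log(log)))
```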
- 14. I can’t see anything
Engineer with logging in mind – the more you log, the more you can see.
Ensure you are capturing all key metrics (SmartMonitor/SNMP) at the gateway and on the network.
Learn tcpdump/Wireshark/fw monitor.
Utilize packet capture mode within IPS and Anti-Bot.
Understand what you are capturing and why.
Everything creates a log – learn them.
- 15. Advanced Visibility
When you identify the really nasty stuff you need to know how to deal with it.
• Threat Emulation
• Malware reversing
• Locating infected hosts
• Having control over the network means being able to block hostile code
- 17. Layer 7
Without application layer data, finding the golden nugget is almost impossible.
[Diagram: layered stack of data sources, top to bottom]
• Email / Data Exfil / Web
• Anti-Bot/DLP
• Application Control/URL Filtering
• IPS
• IP Addresses / Services / Time / Direction
- 18. Layer 7
Once you know the attack vectors you can trace the risk to your network and maybe to the actual attacker.
[Diagram: attack vectors traced back to the target – labels: Fraud Event, Corp Espionage, Hacking Event, CEO]
- 19. Layer 8 – Man, humans are difficult
Without management on board, having all the information in the world won’t help.
Incident response is vital – Plan, Test, Evaluate, Repeat.
Do you have a plan for interacting with law enforcement?
Who is really attacking you and why?
Know your gaps and try to address them.
- 20. Core Items Needed
As many blades as possible with advanced features (Packet Capture/URL Logging/SMTP Information)
Large logging infrastructure
A network map
An org chart
SmartEvent
SmartLog
Enough resources to generate higher level data
- 21. Putting it all together
For any intelligence system try to answer the following questions:
Who: Financial officer was targeted
What: Installation of malware on a PC; attempted to upload an Excel spreadsheet to C&C
Where: PC located within the executive zone; C&C located in Brazil
When: Multiple spear phishing emails over a 5 month period
Why: After full analysis, determined that the Excel spreadsheet would give a competitive advantage to the competition
Infrastructure – DLP, Anti-Bot, Anti-Virus, Endpoint, Logging, SmartEvent
- 22. What’s the point of all of this?
Time for analysis and full understanding of an event is greatly decreased.
Ability to identify who is targeted and what the risk really is.
You need to make blocking decisions quickly; talking about it over 5 days isn’t going to help.
If you can react to malware events in minutes or seconds, you are doing as well as the best.
- 23. How can you use Check Point - Gateway
• Firewall
- Advanced logging options such as URL logging
- Log all rules
• Utilize Application Control and URL Filtering
• Identity Awareness
• Anti-Bot/Anti-Virus
- Utilize packet capture ability
• IPS
- Utilize packet capture ability
- Ensure advanced features are enabled on the IPS blade
- GeoLocation
- 24. How can you use Check Point Management
• SmartLog
- Create predefined searches for specific events, such as logon/logoff events for Identity logs
• SmartEvent
• Endpoint
- Compliance checks
- MD5/OS checks
- AV events
- Firewall logs